
    EU GDPR Blog

    Rory Breen

    Which companies need both GDPR and Cyber Essentials

    Despite the GDPR being in place since the 25th May 2018, a number of companies are still unclear whether this EU regulation applies to them. Increasingly, the basic technical standard known as Cyber Essentials is also being mandated across the United Kingdom, in particular for central and local government contracts. Therefore a number of companies will need to meet both the regulation and technical standard. In this article, we explore what organisations would benefit by meeting the GDPR and also having Cyber Essentials.

    Learn more about the GDPR in the article What is the EU GDPR and why is it applicable to the whole world?

    Cyber Essentials – does it apply to my company?

    Let’s start by summarising Cyber Essentials. There are two variants of the standard: the core Cyber Essentials, which is the self-assessed version focused on several common technical risks, and the independently audited version, known as Cyber Essentials Plus. In this article we focus on the standard Cyber Essentials, although in certain instances Cyber Essentials Plus may be required for your organisation.

    Cyber Essentials is primarily a UK technical standard. While it is formally recommended by the UK Government and its cyber security arm, the National Cyber Security Centre (NCSC), it is not a formal requirement for the majority of companies (read more about this in the table below). Since the inception of Cyber Essentials in 2014, the UK Government has recommended it for all organisations, with the aim of reducing cyber security risk in the government’s supply chain.

    This standard helps you on your journey to meet a basic set of the technical data protection requirements of the GDPR, in particular the commonly cited phrase “appropriate technical and organisational measures,” which appears a total of eighty-nine times in the regulation. This phrase refers to a suite of measures including processes and a mixture of technical and non-technical controls. Essentially, you take a risk-based approach grounded in your specific data processing activities and attempt to mitigate those risks through a series of technical or organisational measures.

    Cyber Essentials, however, does not cover data privacy at all, and its non-technical controls are basic and minimal. Since the GDPR stipulates that you must be able to demonstrate ongoing compliance, what better way than meeting an already established cyber security standard as part of a wider information security framework programme? Refer to the table below, which outlines instances where Cyber Essentials may be compulsory as part of the tender or contract process.

    Table: Which companies need both GDPR and Cyber Essentials

    For more about differences between the GDPR and Cyber Essentials, read the article GDPR vs Cyber Essentials: A comparison.

    Meeting both for competitive advantage

    In our experience, most companies are failing to implement basic security controls such as restricting everyday use of administrator accounts (“running as an administrator”), robust password management, and timely operating system and third-party security updates. These areas (and more) are core requirements for gaining Cyber Essentials.

    Looking at the General Data Protection Regulation and Cyber Essentials, the two have different goals and aims. They do, however, share the common theme of decreasing a company’s information security risk. In the case of the GDPR, the scope is much wider and covers policies and procedures as well as data subjects’ rights, whereas Cyber Essentials focuses on a small number of easy-to-implement technical controls with accompanying basic policies.

    For organisations based in the UK, we would strongly advise you to consider gaining Cyber Essentials or Cyber Essentials Plus as part of your GDPR programme, as it ensures that basic security controls have been implemented. For organisations based outside the UK who don’t know where to start, Cyber Essentials is a great framework, and we would advise you to follow it informally. If you offer services to UK-based companies, gaining Cyber Essentials would likely give you a competitive advantage, especially for tenders and government contracts.

    Learn more about what needs to be done to get compliant with EU GDPR in this free online training: EU GDPR Foundations Course.


    About the author:

    Rory Breen runs a cyber-focused IT and compliance business that is also a Cyber Essentials and IASME Certification Body. He has over 25 years’ experience in operational IT support and delivery. He is also a certified Cyber Essentials/IASME moderator and IBITG GDPR Practitioner. Since late 2016, he has developed an in-house GDPR Readiness Programme used by over 100 organisations across the UK, and has delivered numerous training classes and talks on the topics of cyber security and the GDPR.
